
Possible Csrf Attack On Product Option Add
Posted 10 August 2015 - 09:00 AM #1
I am having a huge problem on product option add.
I have added 60 variants on a single option, although there are 60 more to add. But I couldn't add any more because after I hit the "SAVE" button, it redirects to the dashboard and says "action denied : POSSIBLE CSRF ATTACKED".
I have enabled/disabled the anti_csrf variable (true/false), but in either case it is not working.
Please help me
Thank you
Thomas
Posted 10 August 2015 - 09:21 AM #2
Posted 10 August 2015 - 01:50 PM #3
Maybe you have some restrictions on your server.
Please check post_max_size setting on your server and try to increase this to solve this issue.
Thank you.
Posted 11 August 2015 - 08:16 AM #4
Posted 25 September 2015 - 08:35 AM #7
It appears I have the same issue when adding 100 options. However, the steps outlined above do not help. Does anyone have any suggestions?
I changed them as follows:
@ /usr/local/cpanel/3rdparty/etc/php.ini
post_max_size = 256M
max_input_vars = 2000
Posted 25 September 2015 - 09:30 AM #8
In fact the amount of input vars for 100 options can be greater than 2000
Posted 25 September 2015 - 01:55 PM #9
I have tried "max_input_vars = 10000" and higher, but still no luck.
Posted 11 October 2015 - 04:34 PM #10
Have made the necessary settings changes as mentioned above, cannot add more than 70 options on any product without the CSRF attack error message...
Anyone have any other ideas?
Posted 11 October 2015 - 07:58 PM #11
When you set the value, can you verify that it is set to the value you expect using ini_get('max_input_vars')?
Posted 12 October 2015 - 11:31 AM #12
I have increased the sizes of the attributes mentioned to silly values like "max_input_vars = 100000" and post_max_size = 1024M and yes verified in phpinfo() that the settings have taken...
I once managed to get 73 random items added as variables to an option but ever since they have failed... I have deleted cache (that's when it worked for 73 variants) all to pretty much no avail.
Very frustrating. Anyone got any ideas? I'm kind of shooting in the dark here.
TIA
Posted 12 October 2015 - 12:17 PM #13
OK, after some serious messing around it seems I have found it. For anyone that might experience this, check whether your server has the suhosin hardened extension installed. I had to make some changes in there; I cannot say for sure which ones helped it work, but these are the changes I added to my php.ini:
; Filtering Options
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 50000
suhosin.cookie.max_vars = 100
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 10000
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 100000
suhosin.post.max_vars = 10000
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 2000
suhosin.request.max_varname_length = 128
suhosin.upload.remove_binary = Off
suhosin.session.max_id_length = 128
Hope this helps someone out
Mark
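
The checks suggested across the thread (post_max_size, max_input_vars, confirming values with ini_get(), and the Suhosin limits), gathered into one script as an added example; it is not part of the thread and not CS-Cart code. The sample form of 100 variants with 25 fields each and its field names are assumptions, and counting name=value pairs only approximates how PHP counts input variables.

```php
<?php
// Added diagnostic sketch, not CS-Cart code. Load it through the web server
// that serves the admin panel: the CLI often reads a different php.ini.

// Convert php.ini shorthand such as "256M" to bytes.
function ini_bytes($value)
{
    $number = (int) $value;
    switch (strtoupper(substr(trim($value), -1))) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
    }
    return $number;
}

// Variable-count limits in force, lowest first. ini_get() returns false for
// suhosin.* when the extension is not loaded, so those are skipped.
// Assumption: a value of 0 is treated here as "no limit" and also skipped.
function var_limits()
{
    $limits = array();
    foreach (array('max_input_vars', 'suhosin.post.max_vars', 'suhosin.request.max_vars') as $name) {
        $raw = ini_get($name);
        if ($raw !== false && (int) $raw > 0) {
            $limits[$name] = (int) $raw;
        }
    }
    asort($limits);
    return $limits;
}

// Constructed sample body: 100 variants with 25 fields each (made-up names).
$pairs = array();
for ($v = 0; $v < 100; $v++) {
    for ($f = 0; $f < 25; $f++) {
        $pairs[] = sprintf('variants[%d][field%d]=x', $v, $f);
    }
}
$body  = implode('&', $pairs);
$count = count($pairs);
$max   = ini_bytes(ini_get('post_max_size')); // 0 means unlimited

header('Content-Type: text/plain');
printf("sample form: %d variables, %d bytes\n", $count, strlen($body));
printf("post_max_size: %d bytes (%s)\n", $max,
    ($max === 0 || strlen($body) <= $max) ? 'fits' : 'TOO LARGE');
foreach (var_limits() as $name => $limit) {
    printf("%-26s %6d  %s\n", $name, $limit, $count <= $limit ? 'ok' : 'TRUNCATES');
}
```

The lowest limit listed is the one that binds: Suhosin's request.* values also cap the separate get/post/cookie values, so a suhosin.request.max_vars of 2000 still applies when suhosin.post.max_vars is 10000.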